No fix yet for critical RCE bug in open-source Git service Gogs - exploit module is out
Summary
A critical remote code execution (RCE) vulnerability in the open-source Git service Gogs remains unfixed. An exploit module for this vulnerability has been released, and the researcher who discovered it has had no response from the maintainers since reporting it in March.
IFF Assessment
The availability of an exploit module for a critical, unfixed vulnerability poses a significant risk to systems using Gogs, making it bad news for defenders.
Severity
An RCE vulnerability is highly impactful by nature, since a successful attack yields code execution on the affected host. The public availability of an exploit module, combined with the absence of a fix, materially increases the likelihood of exploitation.
Defender Context
This situation highlights the dangers of unpatched software, especially in open-source projects where maintainer responsiveness can be a bottleneck. Defenders should prioritize inventorying their systems for Gogs instances and should assume that active exploitation of this critical RCE vulnerability is likely.